Date: Mon, 5 Nov 2001 21:19:22 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Luigi Rizzo <rizzo@aciri.org>
Cc: <cjclark@alum.mit.edu>, <freebsd-net@FreeBSD.ORG>
Subject: Re: limiting outgoing ICMP's
Message-ID: <20011105211012.V31861-100000@achilles.silby.com>
In-Reply-To: <20011105184856.B79198@iguana.aciri.org>
On Mon, 5 Nov 2001, Luigi Rizzo wrote:

> Am I wrong, or does all of the ICMP_BANDLIM stuff only deal with
> _incoming_ ICMP messages and udp badport?

The current setup is that badport_bandlim is called whenever a packet with an abuseable response is received; if more than X per second have been responded to, no more replies will be issued that second. However, it could be just as easily used if hooked in at the output stage.

> I see no way to intercept calls to icmp_error(), which is
> invoked both by ip_input and ip_fw.
>
> BTW, why is the check for badport_bandlim not moved inside
> icmp_error itself?

You could add a new limiting type inside icmp_error if you wish; there's no such call at present because nobody thought of it yet.

> For the record, the problem came out when sending packets to
> a FreeBSD router box which did not have a default route nor a route
> for the intended destination of the packet. Pretty easy to test.
>
> cheers
> luigi

Ah, that issue hadn't come up on my little LAN. :) Sounds like a good place to rate limit replies, though. Just add your new types into icmp_var.h, add the new string into ip_icmp.c, add calls to badport_bandlim at appropriate locations, and you should be done. I'd be glad to give a quick glance over the finished patch.

Mike "Silby" Silbersack
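The per-second, per-category limiter that the thread describes, plus the "put the check inside icmp_error()" placement Luigi asks about, as an added userland example. This is not FreeBSD's ip_icmp.c or icmp_var.h code: the category names (BANDLIM_UNREACH_ROUTE for the no-route case), the HZ value, the icmplim default of 200 responses per second, and the icmp_error_limited() wrapper are all assumptions made for the example, and the caller passes the current tick so the window logic can be exercised deterministically.

```c
#include <stdio.h>

/* ICMP type/code numbers from RFC 792 (only the ones used here). */
#define ICMP_ECHOREPLY      0
#define ICMP_UNREACH        3
#define ICMP_UNREACH_NET    0
#define ICMP_UNREACH_HOST   1
#define ICMP_UNREACH_PORT   3

/* Limiter categories. Constructed for this example; not FreeBSD's names. */
enum bandlim_type {
    BANDLIM_NONE = -1,
    BANDLIM_ECHO,            /* echo replies */
    BANDLIM_UNREACH_PORT,    /* UDP bad-port unreachables */
    BANDLIM_UNREACH_ROUTE,   /* net/host unreachables from the forwarding path
                                (the new type for the "no route" case) */
    BANDLIM_MAX
};

#define HZ 100                       /* scheduler ticks per second (assumed) */
static unsigned long icmplim = 200;  /* responses/second/category (assumed default) */

struct bandlim_state {
    unsigned long window_start;  /* tick at which the current one-second window began */
    unsigned long sent;          /* responses allowed so far in this window */
    unsigned long dropped;       /* responses suppressed so far in this window */
};
static struct bandlim_state bl[BANDLIM_MAX];

void bandlim_reset(void)
{
    int i;
    for (i = 0; i < BANDLIM_MAX; i++)
        bl[i].window_start = bl[i].sent = bl[i].dropped = 0;
}

/* Core check, one counter per category: 0 = send the response, -1 = suppress it.
 * Once 'icmplim' responses have gone out in a window, everything else in that
 * window is dropped; the counters are forgotten when the next window starts. */
int bandlim_check(enum bandlim_type which, unsigned long now)
{
    struct bandlim_state *s;
    if (which <= BANDLIM_NONE || which >= BANDLIM_MAX)
        return 0;                          /* unknown category: never limited */
    s = &bl[which];
    if (now - s->window_start >= HZ) {     /* new window: reset the counts */
        s->window_start = now;
        s->sent = 0;
        s->dropped = 0;
    }
    if (s->sent >= icmplim) {
        s->dropped++;
        return -1;
    }
    s->sent++;
    return 0;
}

/* Map an outgoing ICMP type/code to a limiter category. Doing the mapping here,
 * at the point where icmp_error() would build the reply, covers every caller
 * (ip_input, ip_fw, ...) without hooking each one separately. */
enum bandlim_type bandlim_classify(int type, int code)
{
    if (type == ICMP_ECHOREPLY)
        return BANDLIM_ECHO;
    if (type == ICMP_UNREACH) {
        if (code == ICMP_UNREACH_PORT)
            return BANDLIM_UNREACH_PORT;
        if (code == ICMP_UNREACH_NET || code == ICMP_UNREACH_HOST)
            return BANDLIM_UNREACH_ROUTE;
    }
    return BANDLIM_NONE;
}

/* Stand-in for a rate-limited icmp_error(): 1 if the error goes out, 0 if suppressed. */
int icmp_error_limited(int type, int code, unsigned long now)
{
    return bandlim_check(bandlim_classify(type, code), now) == 0;
}

/* Feed n error responses of one type/code at tick 'now'; return how many went out. */
unsigned long burst(int type, int code, unsigned long n, unsigned long now)
{
    unsigned long i, out = 0;
    for (i = 0; i < n; i++)
        out += icmp_error_limited(type, code, now);
    return out;
}

int main(void)
{
    bandlim_reset();
    printf("500 host-unreachables at tick 0:   %lu sent\n",
           burst(ICMP_UNREACH, ICMP_UNREACH_HOST, 500, 0));
    printf("10 port-unreachables at tick 0:    %lu sent (separate bucket)\n",
           burst(ICMP_UNREACH, ICMP_UNREACH_PORT, 10, 0));
    printf("500 host-unreachables at tick 100: %lu sent (new window)\n",
           burst(ICMP_UNREACH, ICMP_UNREACH_HOST, 500, 100));
    return 0;
}
```

The burst of 500 unroutable packets in one window produces only 200 host-unreachables, the port-unreachable bucket is untouched by that burst, and the next window starts fresh. Because the classification sits in front of the send rather than at each caller, adding a category is one enum entry plus one mapping line, which is the shape of the change Mike suggests for icmp_var.h and ip_icmp.c; a type with no mapping (e.g. time exceeded) passes through unlimited, so the mapping table is what needs reviewing in a real patch.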